On Mon, 2023-07-03 at 10:50 +0200, Peter van Dijk wrote: > On Fri, 2023-06-30 at 16:32 +0000, Paul Hoffman via dnsdir wrote: > > The current wording at the end of 4.6.9 is: > > But if `R` is unsuccessful (e.g. timeout or connection closed): > > > > I believe that changing that to the following would fix the problem you > > describe: > > But if `R` is unsuccessful (RCODE other than 0, timeout, connection > > closed): > > > > Does that fix your case and not break other cases? > > You need to allow, at a minimum, RCODE 3 (NXDomain) too.
After a poke from Paul, a clearer version: both RCODE 0 and RCODE 3 can be good responses from an auth. (In hindsight, it's a terrible mistake that 1035 calls RCODE 3 "Name Error" - it's not an error.) Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ _______________________________________________ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy
